20.xx: postpone LuCI HTTPS per default
W. Michael Petullo
mike at flyn.org
Fri Nov 20 10:52:07 EST 2020
I think making use of self-signed certificates in production is a bad
idea because (1) it reinforces poor practices, namely electing to trust
a self-signed certificate and (2) it does not authenticate the
server/router, a critical piece of the TLS security model.
My point of view is that we should delay HTTPS-by-default until we have
a scheme for establishing the identity of the router. Until then, we
should be honest and make use of HTTP.
--
Mike
:wq